CVE-2024-35900

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: reject new basechain after table flag update<br /> <br /> When dormant flag is toggled, hooks are disabled in the commit phase by<br /> iterating over current chains in table (existing and new).<br /> <br /> The following configuration allows for an inconsistent state:<br /> <br /> add table x<br /> add chain x y { type filter hook input priority 0; }<br /> add table x { flags dormant; }<br /> add chain x w { type filter hook input priority 1; }<br /> <br /> which triggers the following warning when trying to unregister chain w<br /> which is already unregistered.<br /> <br /> [ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260<br /> [...]<br /> [ 127.322519] Call Trace:<br /> [ 127.322521] <br /> [ 127.322524] ? __warn+0x9f/0x1a0<br /> [ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260<br /> [ 127.322537] ? report_bug+0x1b1/0x1e0<br /> [ 127.322545] ? handle_bug+0x3c/0x70<br /> [ 127.322552] ? exc_invalid_op+0x17/0x40<br /> [ 127.322556] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 127.322563] ? kasan_save_free_info+0x3b/0x60<br /> [ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260<br /> [ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260<br /> [ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260<br /> [ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]<br /> [ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]<br /> [ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]